On 28.02.17 19:28, Skip Montanaro wrote:
Most of the time (well, all the time if you're smart), you let the
database adapter do parameter substitution for you to avoid SQL
injection attacks (or stupid users). So:

    curs.execute("select * from mumble where key = ?", (key,))

If you want to select from several possible keys, it would be nice to
be able to do this:

    curs.execute("select * from mumble where key in (?)", (keys,))

but that doesn't work. Instead, you need to do your own parameter
substitution. The quick-and-insecure way to do this is:

    curs.execute("select * from mumble where key in (%s)" %
                        ",".join([repr(k) for k in keys]))

I'm pretty sure that's breakable.

    curs.execute("select * from mumble where %s" %
                     " or ".join(["key = ?"] * len(keys)),
                 keys)   # pass the sequence itself, not *keys: execute() takes (sql, params)


--
https://mail.python.org/mailman/listinfo/python-list
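The approach discussed in this thread, worked through end to end as an added example (not code from either poster): one `?` placeholder per key is generated, the key values are passed to the driver as the parameter sequence, and the driver does all quoting. It runs against an in-memory SQLite table named `mumble` with `key`/`val` columns and constructed rows, and it handles the empty key set, which would otherwise produce the syntax error `in ()`.

```python
import sqlite3


def in_placeholders(n):
    """Return a comma-separated list of n '?' markers, e.g. '?,?,?'."""
    return ",".join("?" * n)


def select_in(curs, keys):
    """Fetch rows from `mumble` whose key is in `keys`.

    Only the placeholder list is built with string formatting; the key
    values themselves never touch the SQL text, so a key such as
    "o'neil" is plain data rather than part of the query.
    """
    keys = list(keys)
    if not keys:
        # "where key in ()" is a syntax error in SQLite, and an empty
        # key set can match nothing anyway.
        return []
    sql = "select * from mumble where key in (%s)" % in_placeholders(len(keys))
    return curs.execute(sql, keys).fetchall()


def demo():
    """Constructed sample table and a few queries; returns the results."""
    conn = sqlite3.connect(":memory:")
    curs = conn.cursor()
    curs.execute("create table mumble (key text, val integer)")
    curs.executemany(
        "insert into mumble values (?, ?)",
        [("a", 1), ("b", 2), ("c", 3), ("o'neil", 4)],  # constructed rows
    )
    results = {
        "two": sorted(select_in(curs, ["a", "c"])),
        "quote": select_in(curs, ["o'neil"]),   # embedded quote is harmless
        "none": select_in(curs, []),            # empty set: no query issued
        "missing": select_in(curs, ["zzz"]),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The `" or ".join(["key = ?"] * len(keys))` form from the reply produces the same plan for small sets; `in (?,?,?)` is shorter and is what most DB-API users write. One practical limit to keep in mind: SQLite caps the number of bound variables per statement (`SQLITE_MAX_VARIABLE_NUMBER`, historically 999), so very large key sets should be chunked or loaded into a temporary table and joined instead.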